Nominet, the registry for .uk domain names and one of the largest country-code registries in the world, has disclosed a significant security breach linked to a recently discovered zero-day vulnerability in Ivanti's Virtual Private Network (VPN) software.
The incident, detected at the beginning of January 2025, is the first publicly confirmed case of exploitation of the critical Ivanti Connect Secure flaw tracked as CVE-2025-0282.
According to a report by The Register, Nominet told customers in an email sent on January 8 that it had detected suspicious activity on its network the previous week.
The company said they “were informed of suspicious activity on our network towards the end of last week. The point of entry was through third-party VPN software delivered by Ivanti that facilitates our staff in accessing systems remotely.”
CVE-2025-0282 is a critical stack-based buffer overflow with a CVSS score of 9.0 that allows unauthenticated remote code execution on affected appliances. It affects Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways.
Exploitation of Vulnerability
Security researchers have attributed exploitation of the vulnerability to suspected Chinese state-sponsored actors, who have been conducting attacks since mid-December 2024.
Despite the breach, Nominet has told customers that there is currently no evidence of data theft or leakage. It also reports finding no backdoors or other unauthorized means of access into its network.
Nominet manages more than 11 million .uk domains and operates critical infrastructure, including the Protective Domain Name Service (PDNS) for the UK's National Cyber Security Centre (NCSC).
In response to the incident, Nominet has put additional protections in place, including restricting access to its systems via VPN connections. It has also notified the relevant authorities, including the NCSC, and is continuing its investigation with the support of external cybersecurity specialists.
Exploitation of the Ivanti zero-day has caused considerable concern across the security industry. Mandiant attributes the activity to UNC5337, a cluster it assesses to be part of UNC5221, the threat actor behind similar attacks on Ivanti products in January 2024.
The ongoing campaign deploys both known and new malware families, including Spawn, Dryhook, and Phasejam.
Ivanti released patches for affected Connect Secure versions on January 8, 2025, the same day the zero-day was publicly disclosed. Patches for Policy Secure and Neurons for ZTA gateways, however, are not expected until January 21, leaving some customers exposed in the interim.
Censys reported 33,542 internet-exposed Ivanti Connect Secure instances worldwide, with the largest concentrations in the United States and Japan.
As the situation develops, security experts recommend that organizations running Ivanti products apply the available patches immediately, conduct thorough investigations for signs of compromise (patching closes the entry point but does not remove a foothold an attacker has already established), and remain alert to further exploitation attempts.
The article UK Domain Registry Nominet Confirms Cyber Attack Exploiting Ivanti RCE Zero-Day appeared first on Cyber Security News.